Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft.

Wednesday, December 09, 2009

Password Security for Boneheads

That's the title of an interesting article I just read over at InfoWorld. The author points out that many web sites are just not secure with respect to how they store passwords and what they require of them:

More disturbing is the way password recovery works on some of these sites. At least half the time, when I get the (unencrypted) recovery e-mail, my password is right there in the message, in plain text. That means the site is storing all those passwords in plain text in a database -- one that's being backed up somewhere and is probably readable by a significant number of admins and possibly anyone who happens to snag a backup tape. It's a catastrophe waiting to happen.

I agree - and I am sure most of you do also - that these are catastrophes waiting to happen, and many have already happened! The problem is that so much is now tied to our identities that it is nearly impossible to protect ourselves effectively. I once asked a lady in front of me at the grocery store why she wrote a check rather than use a debit/credit card to pay for her purchases, and she responded with "I've never had my identity stolen via a check". Good point, lady.
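As an added example (my own code, not from the original post or the InfoWorld article), here is what the quoted failure mode looks like when it is done right. The stored record is a salted PBKDF2-SHA256 hash rather than the password, so an admin reading the table or someone who snags a backup tape learns nothing usable, and "password recovery" cannot e-mail the password back because the site never has it: it becomes a reset with a single-use, expiring token, of which only the hash is stored. The in-memory user table, the e-mail addresses, the iteration count and the 15-minute token lifetime are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "user table" standing in for the site's database.
USERS = {}

# Assumption: PBKDF2-SHA256 iteration count; this should be tuned upward over time.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh 16-byte random salt per user means identical passwords do not
    produce identical records, and precomputed tables are useless.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, record):
    """Recompute the hash with the stored salt/iterations; constant-time compare."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def register(email, password):
    USERS[email] = {"pw": hash_password(password), "reset": None}


def login(email, password):
    user = USERS.get(email)
    return bool(user) and verify_password(password, user["pw"])


def start_password_reset(email, now, ttl=900):
    """What the recovery e-mail should carry: a one-time token, never the password.

    Only the token's SHA-256 is stored, so a leaked database or backup does not
    hand an attacker a live reset link. Returns the token to put in the e-mail,
    or None if the account does not exist (the caller should still answer with a
    generic "check your inbox" so account existence is not disclosed).
    """
    user = USERS.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    user["reset"] = {"hash": hashlib.sha256(token.encode()).hexdigest(),
                     "expires": now + ttl}
    return token


def finish_password_reset(email, token, new_password, now):
    """Consume the pending token (single use, even on failure) and set a new hash."""
    user = USERS.get(email)
    if not user or not user["reset"]:
        return False
    pending = user["reset"]
    user["reset"] = None
    if now > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["hash"]):
        return False
    user["pw"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("alice@example.com", "correct horse battery staple")
    print("stored record:", USERS["alice@example.com"]["pw"])
    print("login ok:", login("alice@example.com", "correct horse battery staple"))
    tok = start_password_reset("alice@example.com", now=1000.0)
    print("e-mail carries token, DB holds only its hash:", tok not in str(USERS))
    print("reset ok:", finish_password_reset("alice@example.com", tok, "new pass", now=1001.0))
```

The point to check in your own systems is the first print line: if the stored record ever contains the password itself, or a reversible form of it, the site is in the position the article describes, and the only safe "recovery" is a reset.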

Legal

The posts on this blog are provided "as is" with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not represent those of my employer or anyone else for that matter. View this blog's privacy policy here. 16 CFR § 255.5 disclosure: I am an employee of Quest Software.